Low tech Romney tax return hack could be lesson in physical security

So, we read that one or more hackers claim to have gained access to Mitt Romney’s tax records, reported first in a Nashville paper, then in the tech/business press. The hack allegedly took place at the Franklin office of PriceWaterhouseCoopers just outside of Nashville, and PWC has alleged that no such thing happened. We have to say authorities are still investigating the veracity of the claims, so this whole post is written under a cautious “if this is true” disclaimer.

Politics aside, what we find particularly interesting is that the scammers lay out exactly how they purportedly gained access, and it’s hardly high tech. In their own words, here’s how the hackers say they got in:

Romney’s 1040 tax returns were taken from the PWC office 8/25/2012 by gaining access to the third floor via a gentleman working on the 3rd floor of the building. Once on the 3rd floor, the team moved down the stairs to the 2nd floor and set up shop in an empty office room.

In other words, they say they gamed/gained physical access to the records system/storage, seemingly without much trouble. This hearkens back to the days when notorious hackers like Kevin Mitnick and his contemporaries had their heyday mostly through social-engineering scams–less about the technology and more about gaining people’s confidence–and using that to exploit systems.

Recently, during a cyberwarfare class put on by the Securing Our eCity Foundation, a guest speaker talked about low tech hacks. While the title seems innocuous enough, the instructor, Chey Cobb, who has experience protecting some of our nation’s biggest secrets, pointed out that massive system disruption has been caused, and seemingly invincible security has been toppled, by things like a piece of heavy equipment digging through the fiber trunk outside a target’s building, or posing as an air conditioner contractor and getting into protected places. There are a host of other simple entry points and techniques… no high tech required.

So, the Romney tax document crew continues: “During the night, suite 260 was entered, and all available 1040 tax forms for Romney were copied.” Sounds simple. And here’s what they wrote to PWC:

“We were able to gain access to your network file servers and copy over the tax documents for one Willard M Romney and Ann D Romney. We are sure that once you figure out where the security breach was, some people will probably get fired but that is not our concern.”

Without specific details it’s hard to say how they got into the network file servers, but a former PWC employee has confirmed that with such access, the records in question could have been viewed from that office. Again, we say “if this is true,” but here’s the point we can make anyway: you cannot neglect physical security if your systems offer access to sensitive data. A basic but important step is to restrict the copying of sensitive files to USB drives. Whether bad guys have physical access to a file server, or just a networked workstation with access to the corporate file share, both should be protected against unauthorized access and data exfiltration via removable media.

These are simple steps, and all but the most basic organizations can put them in place without breaking the budget. We’ll wait to see how the investigation ends, but right away you can start assessing your own security stance. Ask yourself: would a bad actor who set up in a spare office in your organization and stayed after hours be discovered? Would you be able to detect bad guys popping a USB key into a machine and trying to copy sensitive files, potentially with personally identifiable information? If the answer to either is no, it might be a good time to beef up physical and also basic security at your firm, especially if you happen to be an accounting firm, or one that deals in highly confidential data, regardless of your field.
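As an added example (not code from the original post), here is one way to turn the last question above into a concrete check: a small detector that reads syslog-style Linux kernel lines, picks out every removable-disk attach, and flags the ones that happen outside business hours. The log lines are constructed for the example, and the 08:00–18:00 business-hours window is an assumption to adjust to your own policy.

```python
import re
from datetime import datetime, time

# Constructed sample syslog lines (not from any real host); the message
# bodies follow the format the Linux usb-storage and sd drivers emit.
SAMPLE_LOG = """\
Aug 25 14:02:11 ws-17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Aug 25 14:02:11 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Aug 25 14:02:12 ws-17 kernel: sd 4:0:0:0: [sdb] Attached SCSI removable disk
Aug 25 23:41:05 ws-22 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Aug 25 23:41:06 ws-22 kernel: sd 6:0:0:0: [sdc] Attached SCSI removable disk
Aug 26 02:15:30 ws-22 kernel: usb 2-1: USB disconnect, device number 3
"""

# Matches the "sd H:C:T:L: [sdX] Attached SCSI removable disk" kernel line.
ATTACH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"kernel: sd \S+: \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk$"
)

# Assumed business-hours window; adjust to the organisation's policy.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


def parse_attach_events(log_text):
    """Return one dict per removable-disk attach line: host, device, timestamp, after_hours."""
    events = []
    for line in log_text.splitlines():
        m = ATTACH_RE.match(line)
        if not m:
            continue  # enumeration / disconnect lines are not attach events
        when = datetime.strptime(m["time"], "%H:%M:%S").time()
        events.append({
            "host": m["host"],
            "device": m["dev"],
            "timestamp": f'{m["mon"]} {m["day"]} {m["time"]}',
            "after_hours": not (BUSINESS_START <= when < BUSINESS_END),
        })
    return events


def after_hours_alerts(log_text):
    """One alert string per removable-disk attach that happened outside business hours."""
    return [f'{e["timestamp"]} {e["host"]}: removable disk {e["device"]} attached after hours'
            for e in parse_attach_events(log_text) if e["after_hours"]]


if __name__ == "__main__":
    for alert in after_hours_alerts(SAMPLE_LOG):
        print(alert)
```

In practice you would feed it the live kernel log (or the equivalent Windows removable-storage events) from a central log collector, and treat every daytime attach on a workstation that can reach the file share as worth a look as well.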

I think this is one of the most important and overlooked aspects of security in these increasingly (overly) comfortable "in the cloud" times. This blog speaks directly to a recent visit to a large scale medical facility (we do not speak its name!) just 10 minutes prior to their closing. As the front office was under renovation, a makeshift front office was comprised of 4 6' tables with 5 PCs, open file folders, and office supplies galore. There was not a soul in sight; however, there were 3 PCs fully logged on and waiting. After roaming the halls and calling out for someone, I decided to leave in high hopes that a hacker would not decide to walk in directly after me and access any information they so chose. When I finally discussed this with the staff, they told me that they are "not allowed to lock the doors" and it remains open. On the opposite side of the issue, look at Alan Turing's work with the German Enigma machine and the Bombe. Low tech access, high volume results, but for the better. Seems as though The Dark Knight film has a loose connection to that storyline, but with reverse intentions. We can never be too safe, and it's always worth the extra moment it takes to assess risk. I'm an optimist at heart and by nature, but it only benefits all to prepare for the worst even when you expect the best. Thanks for sharing this thought – I hope people take note.

Andrea Ebbing

Additionally, no matter what level of education or upbringing, I would be willing to bet that a majority of the more recent Millennials do not fully understand the idea of a "Paper Trail" and therefore high level graduate "interns" and/or assistants etc. do not fully realize the consequences of such human error as leaving very privileged information (either their own, their boss's, parents', etc.) in a less than secure area. This could be due to the fact that their entire life consists of real time information, new apps, and the latest technology. Socially and environmentally, they are living in a "Be Green / Paper Free" world which may lead some to believe that "written" information is irrelevant, which, unfortunately (as we can see in this particular Romney example), is the polar opposite. In fact, having that kind of information readily available (even if by ignorance or mistake) only increases the efficiency and productivity of the perpetrator.